Thursday 14 June 2012 6:04:54 pm - 4 replies
I have a little question about ezjscore. If you check the site.ini of ezjscore, you can see that the anonymous user has access to the call and hello views:

    [RoleSettings]
    PolicyOmitList[]=ezjscore/hello
    PolicyOmitList[]=ezjscore/call

If an anonymous user enters the following URL: http://my-domain.com/ezjscore/call/ezjscnode::subtree::5
he can list the user accounts. I can comment out the PolicyOmitList entries, but if I upgrade eZ Publish the changes will be removed.
However, if I create a new server function, the anonymous user can't access it unless I configure the rights.
Is there a way to block access to ezjscnode for anonymous users?
Friday 15 June 2012 7:46:52 am
You can reset the [RoleSettings] in override/site.ini.append.php. But then you have to add all the PolicyOmitList entries set in the custom extensions that you need.

    [RoleSettings]
    PolicyOmitList[]
    PolicyOmitList[]=user/login
    PolicyOmitList[]=user/logout
    PolicyOmitList[]=user/register
    PolicyOmitList[]=user/activate
    PolicyOmitList[]=user/success
    PolicyOmitList[]=user/forgotpassword
    PolicyOmitList[]=layout
    #PolicyOmitList[]=manual
    #PolicyOmitList[]=ezinfo/copyright
    #PolicyOmitList[]=ezinfo/about
    #PolicyOmitList[]=paypal/notify_url
    #PolicyOmitList[]=ezjscore/hello
    #PolicyOmitList[]=ezjscore/call

This way you have control over what an anonymous user has access to by default.
For users who should have access to ezjscore/call, you have to create a policy in the eZ backend.
Hope this will help.
Modified on Friday 15 June 2012 7:48:33 am by Felix Woldt
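
A check for the override described above, as an added example that is not from the thread or from the ezjscore project: it merges `PolicyOmitList[]` across INI texts in load order and reports entries outside an allow-list. It assumes that a bare `PolicyOmitList[]` line clears earlier entries and that override/site.ini.append.php is read after the extension's site.ini; the INI samples and the names `effective_omit_list`, `unexpected` and `ALLOWED` are constructed for illustration.

```python
import re

# Constructed samples: the extension default and an override that resets the list.
EXTENSION_INI = """\
[RoleSettings]
PolicyOmitList[]=ezjscore/hello
PolicyOmitList[]=ezjscore/call
"""
OVERRIDE_INI = """\
[RoleSettings]
PolicyOmitList[]
PolicyOmitList[]=user/login
PolicyOmitList[]=user/logout
PolicyOmitList[]=layout
#PolicyOmitList[]=ezjscore/hello
#PolicyOmitList[]=ezjscore/call
"""
# Hypothetical allow-list: views that may skip the policy check on this site.
ALLOWED = {"user/login", "user/logout", "layout"}


def effective_omit_list(ini_texts, section="RoleSettings", key="PolicyOmitList"):
    """Merge one array setting across INI texts given in load order."""
    values, pattern = [], re.compile(re.escape(key) + r"\[\](=(.*))?")
    for text in ini_texts:
        current = None
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue  # blank line or commented-out entry
            header = re.fullmatch(r"\[(.+)\]", line)
            if header:
                current = header.group(1)
                continue
            match = pattern.fullmatch(line) if current == section else None
            if not match:
                continue
            if match.group(1) is None:
                values = []  # bare "Key[]" resets everything loaded so far
            elif match.group(2).strip() and match.group(2).strip() not in values:
                values.append(match.group(2).strip())
    return values


def unexpected(ini_texts, allowed=ALLOWED):
    """Entries that bypass the policy check but are not on the allow-list."""
    return [v for v in effective_omit_list(ini_texts) if v not in allowed]
```

Running `unexpected` over the real files in their load order after each upgrade shows whether an extension has put a view back on the list.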